Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Static Application Security Testing (SAST) engine focused on covering the OWASP Top 10, to make source code analysis to find vulnerabilities right in the source code, focused on a agile and easy to implement software inside your DevOps pipeline. Support the following technologies: Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, and Javascript (Node.js).

Stars: ✭ 216 (+68.75%)

Mutual labels: static-analysis, security-tools, static-analyzer

D Scanner

Swiss-army knife for D source code

Stars: ✭ 221 (+72.66%)

Mutual labels: static-analysis, linter, lint

mllint

`mllint` is a command-line utility to evaluate the technical quality of Python Machine Learning (ML) projects by means of static analysis of the project's repository.

Stars: ✭ 67 (-47.66%)

Mutual labels: lint, linter, static-analysis

Sbt Dependency Check

SBT Plugin for OWASP DependencyCheck. Monitor your dependencies and report if there are any publicly known vulnerabilities (e.g. CVEs). 🌈

Stars: ✭ 187 (+46.09%)

Mutual labels: static-analysis, devsecops, appsec

Woke

✊ Detect non-inclusive language in your source code.

Stars: ✭ 190 (+48.44%)

Mutual labels: static-analysis, linter, lint

sonar-css-plugin

SonarQube CSS / SCSS / Less Analyzer

Stars: ✭ 46 (-64.06%)

Mutual labels: linter, static-analysis, static-analyzer

Exakat

The Exakat Engine : smart static analysis for PHP

Stars: ✭ 346 (+170.31%)

Mutual labels: static-analysis, linter, lint

Reviewdog

🐶 Automated code review tool integrated with any code analysis tools regardless of programming language

Stars: ✭ 4,541 (+3447.66%)

Mutual labels: static-analysis, linter, lint

pahout

A pair programming partner for writing better PHP. Pahout means PHP mahout 🐘

Stars: ✭ 43 (-66.41%)

Mutual labels: lint, linter, static-analysis

Cflint

Static code analysis for CFML (a linter)

Stars: ✭ 156 (+21.88%)

Mutual labels: static-analysis, linter, lint

Sonar Jproperties Plugin

SonarQube Java Properties Analyzer

Stars: ✭ 5 (-96.09%)

Mutual labels: static-analysis, linter, static-analyzer

Nodejsscan

nodejsscan is a static security code scanner for Node.js applications.

Stars: ✭ 1,874 (+1364.06%)

Mutual labels: static-analysis, lint, devsecops

Protoc Gen Lint

A plug-in for Google's Protocol Buffers (protobufs) compiler to lint .proto files for style violations.

Stars: ✭ 221 (+72.66%)

Mutual labels: static-analysis, linter, lint

Whispers

Identify hardcoded secrets and dangerous behaviours

Stars: ✭ 66 (-48.44%)

Mutual labels: linter, lint, devsecops

sonar-gherkin-plugin

SonarQube Cucumber Gherkin Analyzer

Stars: ✭ 33 (-74.22%)

Mutual labels: linter, static-analysis, static-analyzer

Detekt

Static code analysis for Kotlin

Stars: ✭ 4,169 (+3157.03%)

Mutual labels: linter, lint, static-analysis

Purify

All-in-one tool for managing vulnerability reports from AppSec pipelines

Stars: ✭ 72 (-43.75%)

Mutual labels: security-tools, devsecops, appsec

Squealer

Telling tales on you for leaking secrets!

Stars: ✭ 97 (-24.22%)

Mutual labels: static-analysis, security-tools

Unimport

A linter, formatter for finding and removing unused import statements.

Stars: ✭ 96 (-25%)

Mutual labels: static-analysis, linter

View All Similar Projects ➔

njsscan

njsscan is a static application testing (SAST) tool that can find insecure code patterns in your node.js applications using simple pattern matcher from libsast and syntax-aware semantic code pattern search tool semgrep.

Made with in India

Support njsscan

Donate via Paypal:
Sponsor the Project:

e-Learning Courses & Certifications

OpSecX Node.js Security: Pentesting and Exploitation - NJS

Installation

pip install njsscan

Requires Python 3.6+ and supports only Mac and Linux

Command Line Options

$ njsscan
usage: njsscan [-h] [--json] [--sarif] [--sonarqube] [-o OUTPUT] [-c CONFIG] [--missing-controls] [-w] [-v] [path ...]

positional arguments:
  path                  Path can be file(s) or directories with source code

optional arguments:
  -h, --help            show this help message and exit
  --json                set output format as JSON
  --sarif               set output format as SARIF 2.1.0
  --sonarqube           set output format compatible with SonarQube
  -o OUTPUT, --output OUTPUT
                        output filename to save the result
  -c CONFIG, --config CONFIG
                        Location to .njsscan config file
  --missing-controls    enable missing security controls check
  -w, --exit-warning    non zero exit code on warning
  -v, --version         show njsscan version

Example Usage

$ njsscan test.js
- Pattern Match ████████████████████████████████████████████████████████████ 1
- Semantic Grep ███████████████████████████ 160

njsscan: v0.1.9 | Ajin Abraham | opensecurity.in
╒═════════════╤═══════════════════════════════════════════════════════════════════════════════════════════════╕
│ RULE ID     │ express_xss                                                                                   │
├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ OWASP       │ A1: Injection                                                                                 │
├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ CWE         │ CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')  │
├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ DESCRIPTION │ Untrusted User Input in Response will result in Reflected Cross Site Scripting Vulnerability. │
├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ SEVERITY    │ ERROR                                                                                         │
├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ FILES       │ ╒════════════════╤═══════════════════════════════════════════════╕                            │
│             │ │ File           │ test.js                                       │                            │
│             │ ├────────────────┼───────────────────────────────────────────────┤                            │
│             │ │ Match Position │ 5 - 46                                        │                            │
│             │ ├────────────────┼───────────────────────────────────────────────┤                            │
│             │ │ Line Number(s) │ 7: 8                                          │                            │
│             │ ├────────────────┼───────────────────────────────────────────────┤                            │
│             │ │ Match String   │ const { name } = req.query;                   │                            │
│             │ │                │     res.send('<h1> Hello :' + name + "</h1>") │                            │
│             │ ╘════════════════╧═══════════════════════════════════════════════╛                            │
╘═════════════╧═══════════════════════════════════════════════════════════════════════════════════════════════╛

nodejsscan SAST

nodejsscan, built on top of njsscan provides a full fledged vulnerability management user interface along with other nifty integrations.

See nodejsscan

Python API

>>> from njsscan.njsscan import NJSScan
>>> node_source = '/node_source/true_positives/sqli_node.js'
>>> scanner = NJSScan([node_source], json=True, check_controls=False)
>>> scanner.scan()
{
    'templates': {},
    'nodejs': {
        'node_sqli_injection': {
            'files': [{
                'file_path': '/node_source/true_positives/sqli_node.js',
                'match_position': (1, 24),
                'match_lines': (4, 11),
                'match_string': 'var employeeId = req.foo;\n\nvar sql = "SELECT * FROM trn_employee WHERE employee_id = " + employeeId;\n\n\n\nconnection.query(sql, function (error, results, fields) {\n\n    if (error) {\n\n        throw error;\n\n    }\n\n    console.log(results);'
            }],
            'metadata': {
                'owasp': 'A1: Injection',
                'cwe': "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                'description': 'Untrusted input concatinated with raw SQL query can result in SQL Injection.',
                'severity': 'ERROR'
            }
        }
    },
    'errors': []
}

Configure njsscan

A .njsscan file in the root of the source code directory allows you to configure njsscan. You can also use a custom .njsscan file using --config argument.

---
- nodejs-extensions:
  - .js

  template-extensions:
  - .new
  - .hbs
  - ''

  ignore-filenames:
  - skip.js

  ignore-paths:
  - __MACOSX
  - skip_dir
  - node_modules

  ignore-extensions:
  - .jsx

  ignore-rules:
  - regex_injection_dos
  - pug_jade_template

Suppress Findings

You can suppress findings from javascript source files by adding the comment // njsscan-ignore: rule_id1, rule_id2 to the line that trigger the findings.

Example:

app.get('/some/redirect', function (req, res) {
    var target = req.param("target");
    res.redirect(target); // njsscan-ignore: express_open_redirect
});

CI/CD Integrations

You can enable njsscan in your CI/CD or DevSecOps pipelines.

Github Action

Add the following to the file .github/workflows/njsscan.yml.

name: njsscan
on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]
jobs:
  njsscan:
    runs-on: ubuntu-latest
    name: njsscan check
    steps:
    - name: Checkout the code
      uses: actions/[email protected]
    - name: nodejsscan scan
      id: njsscan
      uses: ajinabraham/[email protected]
      with:
        args: '.'

Example: dvna with njsscan github action

Github Code Scanning Integration

Add the following to the file .github/workflows/njsscan_sarif.yml.

name: njsscan sarif
on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]
jobs:
  njsscan:
    runs-on: ubuntu-latest
    name: njsscan code scanning
    steps:
    - name: Checkout the code
      uses: actions/[email protected]
    - name: nodejsscan scan
      id: njsscan
      uses: ajinabraham/[email protected]
      with:
        args: '. --sarif --output results.sarif || true'
    - name: Upload njsscan report
      uses: github/codeql-action/[email protected]
      with:
        sarif_file: results.sarif

Gitlab CI/CD

Add the following to the file .gitlab-ci.yml.

stages:
    - test
njsscan:
    image: python
    before_script:
        - pip3 install --upgrade njsscan
    script:
        - njsscan .

Example: dvna with njsscan gitlab

Travis CI

Add the following to the file .travis.yml.

language: python
install:
    - pip3 install --upgrade njsscan
script:
    - njsscan .

Docker

Prebuilt image from DockerHub

docker pull opensecurity/njsscan
docker run -v /path-to-source-dir:/src opensecurity/njsscan /src

Build Locally

docker build -t njsscan .
docker run -v /path-to-source-dir:/src njsscan /src

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].

Stars: ✭ 128

Visit Git Page 🔗Visit User Page 🔗Visit Issues Page (5) 🔗